- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 8 Jun 2007 01:13:36 +0200
- To: WSC WG <public-wsc-wg@w3.org>
The minutes from our meeting on 23 May were approved:
http://www.w3.org/2007/05/23-wsc-minutes
Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
WSC Weekly
23 May 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
MaryEllen_Zurko, jvkrey, Thomas, Chuck_Wade, rachna, Serge,
Hal_Lockhart, staikos, +1.908.707.aabb, bill-d, johnath, luis,
asaldhan, beltzner, tyler, PHB, yngve
Regrets
Shawn, Bruno, Rishikesh
Chair
MEZ
Scribe
jvkrey
Contents
* [4]Topics
1. [5]approving last meeting's minutes
2. [6]action items
3. [7]agenda bashing
4. [8]lightning discussions
5. [9]Secure Letterhead
6. [10]robust security indicators
7. [11]wsc-usecases update
8. [12]f2f agenda review
* [13]Summary of Action Items
__________________________________________________________________
approving last meeting's minutes
<tlr> [14]http://www.w3.org/2007/05/16-wsc-minutes
Mez: last minutes approved
action items
Mez: no objections?
agenda bashing
Mez: anyone wants to change the agenda?
<tlr> -nope-
<PHB> trying to get here
<tlr> [15]http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/handler
<tlr> [16]http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/
tlr: make sure the MAC address of your wireless card is in the
questionnaire, otherwise you will not have internet access in Dublin
<staikos> trinity is very strict about the MAC address thing
tlr: another f2f, between Dublin and November
<tlr> [17]http://www.w3.org/2002/09/wbs/39814/f2f3sched/
tlr: another questionnaire about such a f2f, please answer it before you
go to Dublin
<rachna_> is Mike coming to Dublin or calling in?
lightning discussions
Secure Letterhead
PHB: secure letterhead means communicating the brand to the customer
... if we are going to put the brand in front of the customer, it has to
be secure and trustworthy
... Using EV certificates
... combined, secure chrome and X.509 logotype give secure letterhead
... There are 3 slots for logos: subject, community and issuer logos
... community logo allows space to extend accreditation criteria.
bill-d: addressing many of the same issues as came up on EV
bill-d: how to verify?
<staikos> but no-one knows who the issuers are ;)
PHB: Demos, don't display subject logo unless there is an issuer logo.
<johnath> staikos: we won't help that by continuing not to show them.
:)
<asaldhan> can someone give me the wiki link for PHB's secure letterhead
description
<Mez> there is none; sorry
<Mez> there will be one in the action item follow up :-)
PHB: issuer's brand name will be linked to the subject logo
<Mez> but for now, we need to listen (which can be hard, I agree,
without any text)
PHB: subject might not be honest, accountability for issuer
johnath: what kind of UI is envisioned for this?
PHB: see the secure letterhead "plugin"
<hal> I suggest a couple of screen shots
<Mez> +1 hal
PHB: it is not ready for "prime time", yet
... if you look at IE7, to the right of the green address bar you will
see the logo
Chuck: what happens when you want multiple community logos?
<Chuck> There's the reverse situation, where the "community" would want
to set policy for CA issuers
<serge> So beyond spoofing chrome in picture in picture attacks, most
users can't even tell between chrome and content
<Zakim> johnath, you wanted to note that EV doesn't have rules for
logotype
johnath: logotype and EV are not specified
<PHB2> The CABForum 1.0 guidelines do not make any statement on logos,
it is silent
<PHB2> It is entirely valid to issue an EV cert today
rachna_: spoofing issues; chrome vs content
<tlr> ACTION: Hallam-Baker to introduce Secure Letterhead item in the
wiki - due 2007-05-30 [recorded in
[18]http://www.w3.org/2007/05/23-wsc-minutes.html#action01]
<trackbot> Created ACTION-220 - introduce Secure Letterhead item in the
wiki [on Phillip Hallam-Baker - due 2007-05-30].
<PHB2> an EV cert with letterhead
robust security indicators
<PHB2> There is already a major application product deployed that has
logotype functionality built in, it is not yet enabled
<tlr> [19]http://www.w3.org/2006/WSC/wiki/RobustSecurityIndicators
Mez: Making security indicators robust from spoofing attacks
<PHB2> So CABForum definitely needs to address this and it was in fact
due for discussion at the last meeting (but was not discussed)
<staikos> uh
<staikos> ??
<PHB2> WRT Rachna's issue, yes icons are a very very powerful tool,
that is why I want to use them.
<tlr> if you still hear us, all is well, and it's just zakim confused
<staikos> I do not
<tlr> in that case, retry
<PHB2> I regard a good test of the user interface to be if it is
dangerous in that fashion.
Mez: three issues; 1) Make it hard to guess, 2) ??, 3) how to create
such a chrome
<serge> It seems there are two different issues here: making the
indicators secure from spoofing, and conveying that to users
bill-d: what is robustness?
Mez: robustness is something that makes something hard to spoof.
... techniques to not allow content to emulate security indicators
<rachna_> I think robustness can be accomplished by 1) making
indicators hard to predict by attackers (customization) 2) generated in
a way only the user can generate (secure action sequence)
<PHB2> I would like to do double-blind trials of the schemes, show a
genuine site and a phishing site with and without the security
indicators. The power of the indicator is determined by the extent to
which it is relied on. If an indicator is strong it should cause people
to trust the phishing site and the absence should cause people not to
trust the genuine site.
<tlr> that were the 5 min indeed
serge: as long as the content looks good, the security indicators are
ignored. How do we handle that?
<rachna_> PHB: to add to your study, you also need to study the
condition where there is an absence of indicators in the chrome and
they are present in the webpage. This is a low cost attack that will be
very effective.
<PHB2> rachna: very true, in fact I would suggest that we need to
rethink the whole issue of security usability testing. The Microsoft
study illustrates an unfortunate fact that a study with three sample
points seems to trump a deployment study with a few tens of millions of
data points :-)
rachna_: robustness and usability are separated on the f2f
<tlr> ACTION: zurko to match RobustSecurityIndicators against other
proposals; ensure nothing gets lost [recorded in
[20]http://www.w3.org/2007/05/23-wsc-minutes.html#action02]
<trackbot> Created ACTION-221 - Match RobustSecurityIndicators against
other proposals; ensure nothing gets lost [on Mary Ellen Zurko - due
2007-05-30].
<tlr> ACTION-221 due June 8
wsc-usecases update
Mez: that's it for the lightning discussions. If you want to hold one,
please contact Mez.
<tlr> not WS!
tlr: we should get out an updated draft of the use case document around
the time of the f2f
<tlr>
[21]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0114.html
Mez: how do we incorporate deadlines for the drafts?
tlr: that's why we have last call drafts
<Zakim> rachna, you wanted to get back to f2f agenda... is there a
reason that we are discussing robustness and usability testing
separately at the meeting?
Tyler: Will have to post the current snapshot of our document by
tomorrow, to make it by June 2
<tlr>
[22]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0118.html
Mez: can we get Thomas' changes into the document?
Tyler: yes
Mez: anyone has any issues with posting the current draft?
<tlr> RESOLUTION: publish current state of wsc-usecases as public
working draft
<tlr> ACTION: thomas to work with Tyler to ensure publication of
updated draft [recorded in
[23]http://www.w3.org/2007/05/23-wsc-minutes.html#action03]
<trackbot> Created ACTION-222 - Work with Tyler to ensure publication
of updated draft [on Thomas Roessler - due 2007-05-30].
<tlr> 61# mutes
<tlr> 60# unmutes
<tlr> Zakim seems sick
<staikos> no
<staikos> oh yes you are
<staikos> I think so
<tlr> it's a bit better
<tlr> mez, keep talking
<Chuck> The problem appears to be with the bridge, perhaps due to
varying delay due to VoIP artifacts
<johnath> you're clear at the moment
<johnath> (@ Mez)
Mez: any problems with putting out the first public working draft?
tlr: start walking through the individual recommendations at the f2f,
this might give us better understanding of the issues at hand.
Tyler: it is important to have good conformance recommendations.
<Mez> it's a good point; what is it we need from a fpwd? I too have
been assuming it's enough to start prototyping and testing
tlr: concern; some of the proposals might not be concrete enough
<Mez> doesn't testing come before making sure what is tested can be
conformed to?
<tlr> [24]http://www.w3.org/TR/UAAG/
hal: are there models from other w3c groups for specifications of user
interfaces?
tlr: might be worth having a look at the usability and accessibility
guidelines
<rachna_> another example are previous usability tests. Some studies
test abstract ideas (e.g., a security warning on a toolbar) rather than
a specific implementation (e.g., the NetCraft toolbar).
PHB: must use high level language in the recommendations. Not too many
details
<PHB2> ??? did we just lose sound?
<Mez> yes
<Mez> I can hear you
<Mez> but it's lousy
<Tyler> I can hear TLR
<Mez> yeah, it's ok
<Mez> there's a bit of tinny reverb
<PHB2> not getting anything
<Mez> I hear him phil
tlr: a section for techniques on how to implement a recommendation
<Mez> prototype creator can be confident it reflects the
recommendation, and it's good enough to design some tests
<tlr> Editors draft of recommendations Deadline May 14, two weeks
before next f2f
<Mez> tlr, please type in which parts you think have slipped already
<Mez> which item on the timeline?
<Mez> I don't see "close enough"
tlr: I think we might be slipping the editor's draft of the
recommendation
<tlr> Editors draft of recommendations Deadline May 14, two weeks
before next f2f
<Mez> ah, yes, that was May 14 and we did not make that; thanks
<Mez> When is Shawn getting out the editor's draft?
Tyler: this week
<Mez> by the 25th
Mez: how do we decide whether or not to go to the first public working
draft?
tlr: we need to have some notion of what conformance is
<tlr>
[25]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0098.html
<tlr> ACTION: thomas to propose prioritization of rec template elements
[recorded in
[26]http://www.w3.org/2007/05/23-wsc-minutes.html#action04]
<trackbot> Created ACTION-223 - Propose prioritization of rec template
elements [on Thomas Roessler - due 2007-05-30].
Tyler: we need a cut off date for making recommendation proposals
<tlr> ACTION: zurko to propose cut-off date for fitting rec proposals
into template [recorded in
[27]http://www.w3.org/2007/05/23-wsc-minutes.html#action05]
<trackbot> Created ACTION-224 - Propose cut-off date for fitting rec
proposals into template [on Mary Ellen Zurko - due 2007-05-30].
<tlr>
[28]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0050.html
f2f agenda review
<tlr> adjourned
Summary of Action Items
[NEW] ACTION: Hallam-Baker to introduce Secure Letterhead item in the
wiki - due 2007-05-30 [recorded in
[29]http://www.w3.org/2007/05/23-wsc-minutes.html#action01]
[NEW] ACTION: thomas to propose prioritization of rec template elements
[recorded in
[30]http://www.w3.org/2007/05/23-wsc-minutes.html#action04]
[NEW] ACTION: thomas to work with Tyler to ensure publication of
updated draft [recorded in
[31]http://www.w3.org/2007/05/23-wsc-minutes.html#action03]
[NEW] ACTION: zurko to match RobustSecurityIndicators against other
proposals; ensure nothing gets lost [recorded in
[32]http://www.w3.org/2007/05/23-wsc-minutes.html#action02]
[NEW] ACTION: zurko to propose cut-off date for fitting rec proposals
into template [recorded in
[33]http://www.w3.org/2007/05/23-wsc-minutes.html#action05]
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [34]scribe.perl version 1.128
([35]CVS log)
$Date: 2007/06/07 23:12:33 $
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0110.html
3. http://www.w3.org/2007/05/23-wsc-irc
4. http://www.w3.org/2007/05/23-wsc-minutes#agenda
5. http://www.w3.org/2007/05/23-wsc-minutes#item01
6. http://www.w3.org/2007/05/23-wsc-minutes#item03
7. http://www.w3.org/2007/05/23-wsc-minutes#item04
8. http://www.w3.org/2007/05/23-wsc-minutes#item05
9. http://www.w3.org/2007/05/23-wsc-minutes#item06
10. http://www.w3.org/2007/05/23-wsc-minutes#item07
11. http://www.w3.org/2007/05/23-wsc-minutes#item08
12. http://www.w3.org/2007/05/23-wsc-minutes#item09
13. http://www.w3.org/2007/05/23-wsc-minutes#ActionSummary
14. http://www.w3.org/2007/05/16-wsc-minutes
15. http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/handler
16. http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/
17. http://www.w3.org/2002/09/wbs/39814/f2f3sched/
18. http://www.w3.org/2007/05/23-wsc-minutes.html#action01
19. http://www.w3.org/2006/WSC/wiki/RobustSecurityIndicators
20. http://www.w3.org/2007/05/23-wsc-minutes.html#action02
21. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0114.html
22. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0118.html
23. http://www.w3.org/2007/05/23-wsc-minutes.html#action03
24. http://www.w3.org/TR/UAAG/
25. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0098.html
26. http://www.w3.org/2007/05/23-wsc-minutes.html#action04
27. http://www.w3.org/2007/05/23-wsc-minutes.html#action05
28. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0050.html
29. http://www.w3.org/2007/05/23-wsc-minutes.html#action01
30. http://www.w3.org/2007/05/23-wsc-minutes.html#action04
31. http://www.w3.org/2007/05/23-wsc-minutes.html#action03
32. http://www.w3.org/2007/05/23-wsc-minutes.html#action02
33. http://www.w3.org/2007/05/23-wsc-minutes.html#action05
34. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
35. http://dev.w3.org/cvsweb/2002/scribe/
Received on Thursday, 7 June 2007 23:13:45 UTC